In the meetings of the informal NERC Cloud Technical
Advisory Group (CTAG), we’re starting to discuss some of the fundamental
questions that will arise when the CIP standards are revised to accommodate use
of the cloud.
One important question we’ve discussed is, “What is the
difference between SaaS and a BES Cyber System in the cloud?” The question matters
because the compliance reporting requirements for medium and high impact BES
Cyber Systems currently require tracking the individual physical and virtual
devices used in the cloud, which platform CSPs can’t provide compliance evidence
for. As a result, BCS are effectively “banned” from the cloud today. If a SaaS
application had to be treated as if it were a BCS in the cloud, that could
likewise prevent use of SaaS in high and medium impact CIP environments.
Let’s rephrase the question above in a way that might help
us find an answer. Suppose a SaaS product performs a function that a BES Cyber
System might normally perform. Since systems that perform one or more of the
BES Reliability Operating Services (BROS) are definitely BCS, let’s choose one
of those services, say “Inter‐Entity Real‐Time Coordination and Communication”
(for a list of the BROS, see pages 17-22 of CIP-002-5.1).
CIP-002-5.1 (page 22) states that this BROS “…includes activities, actions, and conditions
established by policy, directive, or standard operating procedure…”
Note that, while a SaaS product can certainly take the current situation into
account and recommend a particular action, it can’t take that action itself, e.g.,
calling an adjacent Control Center and requesting they make some adjustment.
That action needs to be taken by someone (or some system) located in the
Control Center. The person or system may be supported by information they
receive from a SaaS product, but the SaaS product itself can’t take the action.
The same consideration applies to the other BROS: each one
requires a person or a system to perform some particular action, which means the
person or system needs to be in a Control Center, control room, transmission substation,
or some other physical location where those actions are normally performed. A
Control Center employee can’t perform those actions while sitting in front of
their home computer in their bedroom at night. If they were doing that, their
bedroom would need to be declared a Control Center and would need to comply
with all the CIP requirements for physical and cyber security that apply to
Control Centers. Therefore, since SaaS can’t fulfill a BROS, it can’t be a BES
Cyber System.
On the other hand, SaaS products that perform services like configuration
management or remote access authorization may need to utilize BES Cyber System
Information (BCSI). If the SaaS were compromised and the BCSI were obtained by
a malicious party, the information might be used to harm the Bulk Electric
System (BES). Does that make the SaaS a BCS?
No, it doesn’t. In fact, if a NERC entity uses SaaS that
requires BCSI access today, the entity needs to provide evidence that the SaaS
provider followed the CIP requirements that refer to BCSI: CIP-004-7 R6,
CIP-011-3 R1 and CIP-011-3 R2. However, the entity doesn’t need to provide
evidence for the 100+ CIP Requirements and Requirement Parts that would be in
scope if the SaaS were in fact a BCS. Only if a system in the cloud could directly
perform actions like causing a circuit breaker to open a line (which could be
the case if the right wiring were in place), would the cloud system be a BCS; otherwise,
it is SaaS.
Of course, the current CIP standards don’t make any
reference to SaaS, since the compliance burden for the three BCSI requirements falls
entirely on the NERC entity (although the entity will need some minimal
evidence that only the SaaS provider can make available to them). However, when
the standards are revised to accommodate use of the cloud, it’s likely they
will distinguish SaaS providers from Platform CSPs, who could potentially host
entire BES Cyber Systems (along with the connections they require to the
outside world). As they do today, the SaaS providers will need to provide evidence
to their NERC entity customers that they are adequately protecting the BCSI
they utilize, but they will not need to provide all the evidence that an
operator of a medium or high impact BCS in the cloud would need to provide.
If you are involved with NERC
CIP compliance and would like to discuss issues related to “cloud CIP”, please email
me at tom@tomalrich.com.